Unexpected reboot: Necurs

Necurs is a prevalent threat in the wild at the moment – variants of Necurs were reported on 83,427 unique machines during the month of November 2012.

Necurs is mostly distributed by drive-by download. This means that you might be silently infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole.

So what does Necurs actually do? At a high level, it enables further compromise by providing the functionality to:

Download additional malware

Hide its components

Stop security applications from functioning

In addition Necurs contains backdoor functionality, allowing remote access and control of the infected computer. Necurs also monitors and filters network activity and has been observed to send spam and install rogue security software. Nefariousness aplenty. See our Trojan:Win32/Necurs family write-up for the full details.

In this blog we want to concentrate on some of Necurs’s more notable techniques for accomplishing these goals.

Necurs provides a command option system which uses an obfuscated method for determining which commands are valid. The full Necurs command structure appears as follows:

Figure 1: Necurs command structure

Key1 and Key2 are fixed values representing the actual command. If a function is built into the Necurs instance, both fixed key values can be found in memory. Figure 2 shows how the Necurs command system works:

Figure 2: Necurs command search

The bNecurs_CmdSearchA() function is in charge of Necurs command validation. It takes four parameters: Skey1 and Skey2 are the command keywords to search for, and OUT_Buf and OUT_BufLen receive the actual command buffer. The key data differs from one Necurs variant to another, but the Skey1 and Skey2 values for a given command are the same across all variants, so the same pair can be used to check whether that command's key data is present. bNecurs_CmdSearchA() returns true if both Skey1 and Skey2 are found, which indicates that the command is implemented in that particular Necurs variant.

Some of the translated Necurs keys are as follows:

Figure 3: Necurs-specific command key values

Necurs uses what appear to be randomly numbered keys to decide whether a command is functional. Given how unreadable the keys are, it follows that the Necurs author(s) maintain some kind of interface to identify and enable commands: the author holds the full Necurs command list and chooses which commands to enable in a given build. Because Necurs doesn’t want its commands to be easily recognized by antivirus researchers, the command keys appear as random numbers, garbage code or obfuscated code rather than readable names.

A troubleshooting/bug report module is implemented in Necurs using an exception handling mechanism. Figure 4 shows the details:

Figure 4: Necurs troubleshooting/bug reporter module

We can see that a top-level exception handler is set. Information about which error type occurred, in which thread and at which address, is sent directly to the Necurs controller domain. The attacker uses these records to locate the buggy module efficiently and improve the malware code to make it more stable.

It’s no surprise these days that prevalent malware families protect their network traffic with well-known algorithms, such as RC4 for encryption and MD5 and SHA1 for integrity checks, and Necurs is no exception. Note that MD5 and SHA1 are hash functions rather than ciphers: Necurs uses them to verify its network traffic data when sending or receiving, and the sending format is the same as that used by other currently prevalent malware. Figure 5 shows the details:

Figure 5: Necurs application/octet-stream format data

As we can see, Necurs uses “application/octet-stream”, which is the generic MIME type for arbitrary binary data. Using it lets Necurs receive its payload as an opaque binary blob that reveals nothing about the data’s real format and blends in with ordinary binary downloads.

Strong anti-security features are provided by the Necurs driver. The driver has a very clear goal: protecting every Necurs component from being removed. From our monitoring of this threat, we’ve observed that the driver is regularly updated. This driver isn’t just being used by Necurs; we’ve found evidence that some rogue families, such as Winwebsec, are also using it. Both 32-bit and 64-bit versions are provided. On 64-bit Windows, kernel-mode code signing enforcement refuses to load a driver that isn’t signed by a trusted certificate (this is a separate mechanism from PatchGuard, which guards kernel structures rather than driver loading). To get around it, the driver is test-signed and the test-signing boot option is enabled. Figure 6 shows the details:

Figure 6: Enable the TESTSIGNING boot configuration

The TESTSIGNING boot configuration option determines whether Windows Vista and later versions of Windows will load test-signed kernel-mode code. It is off by default, so test-signed kernel-mode drivers will not load on 64-bit versions of Windows Vista and later unless it is enabled. To make its malicious driver load, Necurs runs the BCDEdit command “bcdedit.exe -set TESTSIGNING ON”; the change only takes effect at the next boot. A quick check on a suspect machine: running “bcdedit.exe /enum {current}” from an elevated prompt lists the current boot entry, and a line reading “testsigning Yes” means the option is on. Windows also places a “Test Mode” watermark in the corner of the desktop while test signing is enabled, which is a visible tell for users.

Necurs blocks a long list of AV products (see the family description for a comprehensive list of affected products). The method used for blocking is simple but effective: modify the entry point of the executable image in memory so that it immediately returns an unsuccessful status. Figure 7 shows the details:

Figure 7: Necurs entry point patch code

The eax register holds the entry point address. The dwords 0x1B8 and 0x8C2C0 are written to the entry point. Stored little-endian, they form the byte sequence B8 01 00 00 C0 C2 08 00, which disassembles to mov eax, 0C0000001h followed by ret 8: 0xC0000001 is the NTSTATUS code STATUS_UNSUCCESSFUL, and ret 8 pops two dword arguments, consistent with a two-argument stdcall entry point such as a driver’s DriverEntry(DriverObject, RegistryPath). The patched image therefore does nothing except report failure to whatever loaded it. The red block above on the right shows the corresponding assembly code.
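To make the patch concrete, here is an added example (not code from the Necurs write-up or from the malware itself) that reproduces the write of the two dwords into a constructed stand-in for an entry point, decodes the result back into its mov eax, imm32 / ret imm16 form, and applies a simple detection heuristic: an entry point that immediately returns an error-class NTSTATUS and pops a stack frame has been neutered in the way described above. The original prologue bytes and the buffer size are constructed for the demonstration; the two dword values and the STATUS_UNSUCCESSFUL code are the ones from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS code for STATUS_UNSUCCESSFUL (ntstatus.h). */
#define STATUS_UNSUCCESSFUL 0xC0000001u

/* The two dwords the write-up reports Necurs writing at the entry point. */
#define NECURS_EP_DWORD1 0x000001B8u
#define NECURS_EP_DWORD2 0x0008C2C0u

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reproduce the malware's write: two dwords, little-endian, at the entry point.
 * Returns the number of bytes written (8), or 0 if the buffer is too small. */
size_t necurs_patch_entry_point(uint8_t *ep, size_t len)
{
    if (len < 8)
        return 0;
    put_le32(ep, NECURS_EP_DWORD1);
    put_le32(ep + 4, NECURS_EP_DWORD2);
    return 8;
}

/* Decode a "mov eax, imm32 ; ret imm16" stub at ep.
 * Opcode B8 imm32 is mov eax, imm32; C2 imm16 is ret imm16 (pops imm16 stack
 * bytes after the return address). Fills *status and *stack_bytes on success. */
bool decode_fail_stub(const uint8_t *ep, size_t len,
                      uint32_t *status, uint16_t *stack_bytes)
{
    if (len < 8 || ep[0] != 0xB8 || ep[5] != 0xC2)
        return false;
    *status = get_le32(ep + 1);
    *stack_bytes = (uint16_t)(ep[6] | (ep[7] << 8));
    return true;
}

/* Detection heuristic: NTSTATUS error codes have severity bits 31:30 == 11,
 * so an entry point that returns such a value straight away while popping a
 * stdcall argument frame matches the kill patch described in the write-up. */
bool entry_point_is_kill_patched(const uint8_t *ep, size_t len)
{
    uint32_t status;
    uint16_t pop;
    if (!decode_fail_stub(ep, len, &status, &pop))
        return false;
    return (status & 0xC0000000u) == 0xC0000000u && pop != 0;
}

int main(void)
{
    /* Constructed stand-in for an original entry point: the common MSVC
     * hotpatchable prologue mov edi,edi / push ebp / mov ebp,esp / sub esp,10h
     * followed by register saves and NOP padding. Not taken from any real image. */
    uint8_t ep[16] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
                       0x53, 0x56, 0x57, 0x90, 0x90, 0x90, 0x90, 0x90 };
    uint32_t status;
    uint16_t pop;

    printf("before patch: kill-patched=%d\n",
           entry_point_is_kill_patched(ep, sizeof ep));
    necurs_patch_entry_point(ep, sizeof ep);
    if (decode_fail_stub(ep, sizeof ep, &status, &pop))
        printf("after patch: mov eax, 0x%08X ; ret %u -> kill-patched=%d\n",
               status, pop, entry_point_is_kill_patched(ep, sizeof ep));
    return 0;
}
```

The heuristic is deliberately broader than the exact eight bytes: any entry point rewritten to return an error-class NTSTATUS and pop a stdcall frame is suspicious, so a different status value or a changed ret count would still be flagged. The 64-bit driver variant mentioned above would need a different stub, since x64 uses RCX/RDX for the first two arguments and a plain ret; that case is not covered here.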

Finally, we’ve had reports from a number of users stating that the Microsoft Security Essentials real-time protection option is turned off after their computer has rebooted. We will continue to monitor variants of Necurs in the wild to ensure that users are protected from this threat.